CVE-2022-47381
📋 TL;DR
This vulnerability allows authenticated remote attackers to exploit a stack-based out-of-bounds write in multiple CODESYS products, potentially leading to denial-of-service, memory corruption, or remote code execution. It affects industrial automation systems using CODESYS software across multiple versions. Attackers must have authenticated access to exploit this vulnerability.
💻 Affected Systems
- CODESYS Development System
- CODESYS Runtime systems
- CODESYS Control systems
- CODESYS Gateway
📦 What is this software?
Control For Wago Touch Panels 600 Sl by Codesys
View all CVEs affecting Control For Wago Touch Panels 600 Sl →
Control Rte \(for Beckhoff Cx\) Sl by Codesys
View all CVEs affecting Control Rte \(for Beckhoff Cx\) Sl →
Hmi Sl by Codesys
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to take control of industrial control systems and potentially cause physical damage or operational disruption.
Likely Case
Denial-of-service conditions disrupting industrial operations, with potential for memory corruption leading to system instability.
If Mitigated
Limited impact if proper network segmentation and authentication controls prevent unauthorized access to CODESYS systems.
🎯 Exploit Status
Requires authenticated access; exploitation involves triggering specific conditions to cause stack-based buffer overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: CODESYS V3.5.19.0 and later versions
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=17554&token=5444f53b4c90fe37043671a100dffa75305d1825&download=
Restart Required: Yes
Instructions:
1. Download the latest CODESYS version from the vendor portal. 2. Backup current configurations. 3. Install the update following vendor instructions. 4. Restart affected systems. 5. Verify functionality post-update.
🔧 Temporary Workarounds
Network Segmentation
allIsolate CODESYS systems from untrusted networks and implement strict firewall rules.
Authentication Hardening
allImplement strong authentication mechanisms and limit user privileges to minimum required.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to CODESYS systems only from trusted sources.
- Monitor for unusual authentication attempts or abnormal system behavior that might indicate exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check CODESYS version against affected versions listed in vendor advisory; systems running versions prior to V3.5.19.0 are vulnerable.Check Version:
In CODESYS Development System: Help → About; In Runtime systems: Check system information via CODESYS tools or command line depending on platform.Verify Fix Applied:
Verify CODESYS version is V3.5.19.0 or later; check vendor advisory for specific fixed versions for different products.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login and unusual memory access patterns
- System crashes or abnormal termination of CODESYS processes
- Unexpected network connections to CODESYS ports
Network Indicators:
- Unusual traffic patterns to CODESYS default ports (e.g., 1217, 2455)
- Authentication requests from unexpected sources
SIEM Query:
source="codesys" AND (event_type="crash" OR event_type="memory_violation") OR (auth_success=true AND src_ip NOT IN trusted_networks)